Particle.news

Summer.fi Loses $6M in Flash-Loan Vault Accounting Exploit

Security firms say a large flash loan was used to distort vault share accounting, with proceeds swapped into DAI and held in an attacker-controlled wallet.

Overview

  • Blockaid detected an active exploit and reported about $6 million drained from three Summer.fi contracts, publishing the affected contract addresses, an exploiter wallet and a sample transaction to help tracing.
  • Researchers from CertiK and Cyvers said the attacker used a roughly $64–65 million flash loan to manipulate vault share-accounting tied to FleetCommander and redeem excess value within a single transaction.
  • On-chain analysis shows the stolen assets were swapped into DAI and moved to the attacker-controlled address 0x7BF716167B48CF527725722C6d79494b45B3BDCa, leaving recovery prospects uncertain.
  • Summer.fi had not issued a full technical post-mortem when security firms published their findings, so the precise code-level root cause and remediation steps remain unconfirmed.
  • The incident, reported Monday, highlights the compounded risk of automated multi-protocol vaults where routing funds across lending and liquidity stacks widens the attack surface and can expose users to large single-transaction exploits.